As frequent F5 blog readers are aware, we've released the third edition of the State of Application Delivery (SOAD) report. The 2017 report represents the survey results of nearly 2,200 executives and IT professionals and covers all aspects of application delivery including on-premises, hybrid cloud, and cloud. Several of the findings of the report touch on how the respondents relate to the security environment. Nearly one in five of the respondents have security titles, and in this post we'll focus on some of the items that are top-of-mind among their peers.
Surprisingly, four out of five respondents will be adopting multi-cloud strategies in 2017. And one of those five already have half or more of their applications in the cloud! But do organizations have enough cloud experts to deal with even a single cloud today? I know guys who are experts in AWS and they know nothing about Azure, and vice versa.
Perhaps unsurprisingly for anyone who reads my column (or Jon Oltsik’s), one in three organizations cite the security skills gap as a significant security challenge. We just aren’t training enough whitehats to keep up with all the blackhats who are training themselves around the world. There is a chance that the security skills gap will get closed by a magic combo of machine learning and automation; the DARPA Cyber Grand Challenge announced at DEF CON 24 is already pointing in that direction. But until that happens, hooray for security street cred.
Case in point: the SOAD report queried respondents to see which application services they plan to deploy in the next twelve months, and the number one answer, at 40%, is security.
The report asked survey participants about their strategies to defeat emerging threats, secure their applications, and protect their data. The good news for this year is that, in general, organizations feel more confident in their ability to deal with their top security challenges than last year.
In every challenge area except the skills gap, organizations feel slightly less freaked out. I asked Lori MacVittie, one of the report’s authors why this is:
“We think it means they’re less fearful, in general. We suppose that might be due to the fact that security budgets have been on the rise, and thus they’re able to put in place the solutions they need to address their challenges. It’s not in the public report, but ‘budget too small’ as a security challenge dropped from 41% in 2016 to 30% in 2017, hence our supposition.”
Globally, organizations with the most confidence in their ability to withstand an attack have expanded beyond a simple perimeter approach to security. Many plan to deploy DDoS mitigation (21 percent), DNSSEC protection (25 percent), and a web application firewall (20 percent) in the next year.
Every year the SOAD survey asks participants what they think the worst thing that they could deploy an application without.
Security takes top billing by an even greater margin than a year ago. In 2016, availability edged out security. Perhaps organizations are finally becoming aware that a breach can have a far longer lasting negative effect than an outage. The constant drumbeat of breaches is likely driving that awareness. That’s a good thing.
The most common answer to application security is, of course, the web application firewall (WAF). Over half of all cloud-first respondents report having a WAF deployed. That’s not too surprising, though it does make you wonder what the other 48% are doing...
Interested viewers can find the full 2017 State of Application Delivery report here.